Example: Enabling IDP in a Security Policy
This example shows how to configure two security policies to enable IDP services on all traffic flowing in both directions on the device.
Requirements
Before you begin:
- Configure network interfaces. See the Junos OS Interfaces Configuration Guide for Security Devices.
- Create security zones. See Example: Creating Security Zones.
- Configure applications. See Example: Configuring IDP Applications and Services.
Overview
For transit traffic to pass through IDP inspection, you configure a security policy and enable IDP application services on all traffic that you want to inspect. Security policies contain rules defining the types of traffic permitted on the network and the way that the traffic is treated inside the network. Enabling IDP in a security policy directs traffic that matches the specified criteria to be checked against the IDP rulebases.
To allow transit traffic to pass through without IDP inspection, specify a permit action for the rule without enabling the IDP application services. Traffic matching the conditions in this rule passes through the device without IDP inspection.
This example shows how to configure two policies, idp-app-policy-1 and idp-app-policy-2, to enable IDP services on all traffic flowing in both directions on the device. Policy idp-app-policy-1 directs all traffic flowing from previously configured zones Zone1 to Zone2 to be checked against IDP rulebases. The policy idp-app-policy-2 directs all traffic flowing from Zone2 to Zone1 to be checked against IDP rulebases.
![]() | Note: The action set in the security policy action must be permit. You cannot enable IDP for traffic that the device denies or rejects. |
Configuration
CLI Quick Configuration
To quickly configure two policies, idp-app-policy-1 and idp-app-policy-2, to enable IDP services on all traffic flowing in both directions on the device, copy the following commands and paste them into the CLI:
set security policies from-zone Zone1 to-zone Zone2 policy idp-app-policy-1
set security policies from-zone Zone1 to-zone Zone2 policy idp-app-policy-1 match source-address any destination-address any application any
set security policies from-zone Zone1 to-zone Zone2 policy idp-app-policy-1 then permit application-services idp
set security policies from-zone Zone2 to-zone Zone1 policy idp-app-policy-2
set security policies from-zone Zone2 to-zone Zone1 policy idp-app-policy-2 match source-address any destination-address any application any
set security policies from-zone Zone2 to-zone Zone1 policy idp-app-policy-2 then permit application-services idp
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure two policies, idp-app-policy-1 and idp-app-policy-2, to enable IDP services on all traffic flowing in both directions on the device:
- Create a security policy for traffic traversing
from Zone1 to Zone2.[edit]user@host# set security policies from-zone Zone1 to-zone Zone2 policy idp-app-policy-1
- Specify the match conditions for the
traffic flowing in one direction[edit security policies from-zone Zone1 to-zone Zone2 policy idp-app-policy-1]user@host# set match source-address any destination-address any application any
- Specify the action to be taken on traffic
that matches the specified conditions.[edit security policies from-zone Zone1 to-zone Zone2 policy idp-app-policy-1]user@host# set then permit application-services idp
- Create another security policy for traffic
traversing in the other direction from Zone2 to Zone1.[edit]user@host# set security policies from-zone Zone2 to-zone Zone1 policy idp-app-policy-2
- Specify the match conditions for the
traffic flowing in the other direction.[edit security policies from-zone Zone2 to-zone Zone1 policy idp-app-policy-2]user@host# set match source-address any destination-address any application any
- Specify the action to be taken on traffic
that matches the conditions specified in the policy.[edit security policies from-zone Zone2 to-zone Zone1 policy idp-app-policy-2]user@host# set then permit application-services idp
Results
From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform this task:
Verifying the Configuration
Purpose
Verify if the security policy configuration is correct.
Action
From operational mode, enter the show security policies command.
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- IDP Policies Overview
- Understanding IDP Policy Rules
- Understanding IDP Policy Rulebases
Hide Navigation Pane
Show Navigation Pane
Download
SHA1
